The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

suexec - pros and cons

Discussion in 'General Discussion' started by elleryjh, Apr 28, 2003.

  1. elleryjh

    elleryjh Well-Known Member

    Joined:
    Apr 12, 2003
    Messages:
    479
    Likes Received:
    0
    Trophy Points:
    16
    What are the pros and cons to running suexec with php and cgi? Are there any security concerns?
     
  2. howard

    howard Well-Known Member

    Joined:
    Apr 20, 2003
    Messages:
    233
    Likes Received:
    0
    Trophy Points:
    16
    from a security pov there are several pro points

    mail gets sent out as user@hostname.server.tld rather than nobody@hostname.server.tld so there less work to do as you do not have to compare the apche logs w/the exim logs to see what generated the mail

    You can have tighter permissions as each php/perl file is read / written by its specfic owner rather than the generic nobody user

    You can enforce resource limitations such as memory consumption / cpu usage on a per site basis (e.g. a a busier site may have higher resource limits and a not-so-busy site may have a lower one) so that a badly written script can't disrupt everyone sites which maybe hosted on the same server

    Cons are that some php stuff don't work when its running as cgi (e.g. using php_value type stuff in a .htaccess)

    You may initally encounter some problems with ownership/permission issues however error_log and suexec_log are very helpful with this (you may however wish to keep a eye on the size of suexec_log)
     
  3. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    cgi suexec a must to have

    phpsuexec still experimental , avoid it ! Use instead
    php safe mode on .
     
  4. dariofg2

    dariofg2 Well-Known Member

    Joined:
    Mar 7, 2003
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    6
    I've been using phpsuexec for a month or two now, and it's great! I noticed the CPU usage going up a notch, though. Not sure how much of that is related to phpsuexec.

    -Dario
     
  5. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Sorry but can you explain why it's great ?
     
  6. dariofg2

    dariofg2 Well-Known Member

    Joined:
    Mar 7, 2003
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    6
    Well, it worked as expected and better. First, the fact that PHP runs as the account user adds heavily to security. Just yesterday a buggy user script started mailing messages like crazy and I was able to determine which account it belonged to right away, instead of seeing "nobody" as the sender. You can also check if a script is using too much CPU or running for too long through top or ps.

    Also, the account scripts can have restrictive permissions (as restrictive as 400!) and run just fine, protecting them from other users in the same server. They don't even have to have execute permissions as I first thought. Suexec also does some extra security checks, like running scripts which do not belong to the user, which have world-write perms or are inside world-writeable directories. And the data files those scripts use can have safe access modes as well, protecting sensitive information like database passwords or credit card numbers.

    -Dario
     
Loading...
Similar Threads - suexec pros cons
  1. glenn0
    Replies:
    4
    Views:
    287
  2. bilberh
    Replies:
    7
    Views:
    385
  3. vlee
    Replies:
    6
    Views:
    516

Share This Page